VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

From: Justin Philips <[log in to unmask]>
Reply To: Justin Philips <[log in to unmask]>
Date: Sun, 17 Mar 2002 16:08:46 +0500

By Brian McWilliams, Newsbytes
Mar 14 2002 12:27AM PT

When his cable modem service seemed to slow almost to a crawl last
spring, Matthew Hallacy did like most people and complained to technical
support at his Internet service provider, AT&T Broadband.

But after the sluggish performance persisted for weeks, Hallacy, a
Minnesota-based software engineer and networking expert, decided to take
matters into his own hands: he hacked his cable modem.

"Tech support told me it wasn't their fault and the service was going as
fast as it could. So I downloaded the specs for the modem off the Web
and started poking around to see if that was true," said Hallacy.

It wasn't long before Hallacy, 21, devised a trick for modifying an
obscure configuration file used by the service to control the settings
in his 3Com cable modem.

A few tweaks later, Hallacy's $50-per-month service, which had been
downloading data at a poky 75 kilobits per second (Kbps), was sweetly
humming along at much brisker speeds in both directions.

According to Hallacy, he hacked the modem just to prove that AT&T's
network management, and not his modem, was the performance bottleneck,
and he immediately changed the settings back.

But after successfully testing his technique for friends on other cable
modem services - and studying further the specifications for DOCSIS, the
standard interface used by most cable modem manufacturers - Hallacy
decided he had uncovered a bona fide security vulnerability.

This week, Hallacy submitted a description of his technique to two
e-mail discussion lists run by SecurityFocus.com that are read by
thousands of computer security aficionados.

Hallacy's message detailed how to trick a DOCSIS-compliant cable modem
into divulging its secret configuration file, and how to edit the file's
binary data using a free, open-source software program.

According to cable experts, Hallacy's trick is not new, and similar
techniques involving what are called TFTP servers have previously been
anonymously published on the Web.

But the description by Hallacy may be the most specific ever posted to
such a public forum. And experts said his claim that not only AT&T but
also some Comcast and Time Warner cable systems are vulnerable may spur
operators to make changes to their networks - or risk similar poking and
prodding by other networking gurus.

AT&T Broadband spokesperson Andrew Johnson said the company takes
potential security issues seriously but was still investigating
Hallacy's report and had no immediate comment on his claims.

In an interview today, Hallacy claimed that changes to the configuration
file could do more than just remove the bandwidth caps put in place by
cable operators to manage their precious resources.

According to Hallacy, a savvy network programmer could change his
configuration file to intercept all data from other users on the
attacker's local area network, or "node".

"I or somebody like me could sit down in front of a cable modem on AT&T's
network and have something like that running in less than half an hour,
and AT&T probably would never notice it," he claimed.

In some instances, the technique could potentially be exploited even to
take control of a cable ISP's gateway computers, alter their network
routing, and shift large amounts of traffic to a specified destination,
Hallacy claimed.

Officials from CableLabs, the nonprofit industry consortium that
developed DOCSIS, said the modem standard includes several mechanisms,
including something called "shared secret keys," that enable cable
operators to prevent users from making the sorts of modifications
claimed by Hallacy.

"The problem is real, but it's not because of a flaw in the
specification," said Rouzbeh Yassini, a senior CableLabs executive.

"When it's raining, some people decide to walk in the rain without an
umbrella," Yassini added, referring to cable operators who may have
neglected to configure their networks properly.
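The "shared secret" mechanism Yassini refers to is what separates a config file that merely looks well-formed from one the headend will actually accept. The toy model below is an added example, not code from the article, from Hallacy's advisory or from CableLabs: it builds a config file carrying two integrity fields, an unkeyed digest that any holder of the file can recompute and a keyed HMAC that needs the operator's secret, then shows that an edit which raises the rate caps passes the first check and fails the second. The TLV type codes, the class-of-service sub-TLV layout, the digest coverage and the secret value are all assumptions made for illustration; the real DOCSIS file layout and MIC coverage rules differ.

```python
"""Toy model of a two-level integrity check on a cable modem config file.

Constructed example: TLV codes, sub-TLV layout, digest coverage and the
shared secret are assumptions for illustration, not the DOCSIS encoding.
"""
import hashlib
import hmac

TLV_COS = 4        # class-of-service block (assumed code)
TLV_CM_MIC = 6     # unkeyed digest the modem checks (assumed code)
TLV_CMTS_MIC = 7   # keyed digest the headend checks (assumed code)
TLV_END = 255      # end-of-data marker (assumed code)
SUB_MAX_DOWN = 2   # sub-TLV: max downstream rate in bits/s (assumed)
SUB_MAX_UP = 3     # sub-TLV: max upstream rate in bits/s (assumed)


def encode_tlv(tlv_type, value):
    """One type/length/value record with a single-byte length."""
    if not 0 <= len(value) <= 255:
        raise ValueError("value too long for a one-byte length")
    return bytes([tlv_type, len(value)]) + value


def parse_tlvs(data):
    """Return [(type, value, offset)] for every record before the end marker."""
    records, i = [], 0
    while i < len(data) and data[i] != TLV_END:
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        records.append((data[i], value, i))
        i += 2 + length
    return records


def _cos_block(max_down_bps, max_up_bps):
    """Class-of-service record holding the two rate caps."""
    sub = (encode_tlv(SUB_MAX_DOWN, max_down_bps.to_bytes(4, "big"))
           + encode_tlv(SUB_MAX_UP, max_up_bps.to_bytes(4, "big")))
    return encode_tlv(TLV_COS, sub)


def build_config(max_down_bps, max_up_bps, shared_secret):
    """Operator side: body + unkeyed CM MIC + keyed CMTS MIC + end marker."""
    body = _cos_block(max_down_bps, max_up_bps)
    # CM MIC: plain MD5 over the body. Anyone holding the file can recompute it.
    body += encode_tlv(TLV_CM_MIC, hashlib.md5(body).digest())
    # CMTS MIC: HMAC-MD5 keyed with the operator's shared secret over
    # everything so far. Recomputing it requires the secret.
    cmts = hmac.new(shared_secret, body, hashlib.md5).digest()
    return body + encode_tlv(TLV_CMTS_MIC, cmts) + bytes([TLV_END])


def get_rates(config):
    """Read the (downstream, upstream) caps out of the class-of-service block."""
    for tlv_type, value, _ in parse_tlvs(config):
        if tlv_type == TLV_COS:
            subs = {t: v for t, v, _ in parse_tlvs(value)}
            return (int.from_bytes(subs[SUB_MAX_DOWN], "big"),
                    int.from_bytes(subs[SUB_MAX_UP], "big"))
    raise ValueError("no class-of-service block")


def verify_config(config, shared_secret):
    """Return (cm_mic_ok, cmts_mic_ok); the headend admits only when both hold."""
    records = parse_tlvs(config)
    if [r[0] for r in records[-2:]] != [TLV_CM_MIC, TLV_CMTS_MIC]:
        return (False, False)
    _, cm_value, cm_off = records[-2]
    _, cmts_value, cmts_off = records[-1]
    cm_ok = hmac.compare_digest(hashlib.md5(config[:cm_off]).digest(), cm_value)
    expected = hmac.new(shared_secret, config[:cmts_off], hashlib.md5).digest()
    cmts_ok = hmac.compare_digest(expected, cmts_value)
    return (cm_ok, cmts_ok)


def edit_rates_without_secret(config, max_down_bps, max_up_bps):
    """Model the edit the article describes: rewrite the caps and refresh the
    unkeyed CM MIC, but carry the old CMTS MIC over because the secret is
    not available to the editor."""
    old_cmts = next(v for t, v, _ in parse_tlvs(config) if t == TLV_CMTS_MIC)
    body = _cos_block(max_down_bps, max_up_bps)
    body += encode_tlv(TLV_CM_MIC, hashlib.md5(body).digest())
    return body + encode_tlv(TLV_CMTS_MIC, old_cmts) + bytes([TLV_END])


if __name__ == "__main__":
    secret = b"constructed-headend-secret"   # assumption: operator's shared secret
    cfg = build_config(75_000, 128_000, secret)
    print("issued:", get_rates(cfg), verify_config(cfg, secret))      # (True, True)
    edited = edit_rates_without_secret(cfg, 10_000_000, 1_000_000)
    print("edited:", get_rates(edited), verify_config(edited, secret))  # (True, False)
```

The point of the model is the admission rule at the headend: a file is accepted only when both digests verify. An operator who deploys the unkeyed check alone, or who never sets a shared secret, is in the position Yassini describes; one who keys the second digest and rejects files that fail it detects the edit at registration time regardless of what the subscriber's modem reports.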

According to 3Com spokesperson Kim Sullivan, the big network equipment
maker discontinued its consumer cable modem business last summer.

"We currently do not have a product that is affected by the threat"
described by Hallacy, she said.

A Motorola representative noted that a forthcoming engineering change
from CableLabs will require cable modem vendors to implement a technique
for preventing subscribers from changing the modem's config file, and
that Motorola intends to implement the change.

Dave Ahmad, moderator of the Bugtraq security mailing list, said he did
not immediately approve Hallacy's submission because it described "how
to evade (cable operators') service restrictions" and because he was
"not sure what the benefit was to the community. Who is at risk if the
information is not made public?"

Ahmad posted his comments, along with Hallacy's advisory, in a message
Tuesday to the Vuln-Dev list, which published a pared back version of
Hallacy's report on Monday.

Hallacy said he debated the morality of publishing his hacking
instructions, but finally decided to do so as "a little bit of a smack
in cable companies' direction. People are exploiting this. It's one of
the reasons there's not enough bandwidth on some nodes, and they need to
fix it."

Hallacy's original submission to Bugtraq is at
http://online.securityfocus.com/archive/82/261454 .

CableLabs' DOCSIS specs are online at
http://www.cablemodem.com/specifications.html .


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html

